Disaster Key Recovery - Unix

Henry Hertz Hobbit hhhobbit at securemecca.net
Sat Oct 14 11:21:42 CEST 2006


============================
DISASTER RECOVERY 101 (Unix)
----------------------------
SAVING YOUR KEY AND REBUILDING THE DATABASE
===========================================

If you are having trouble with your gpg commands but can still
see your OWN key (pub, all subs and all uids) contents and can
still send / receive both signed and encrypted email to somebody
else these steps MAY get you back to a sane condition.  THERE IS
NO GUARANTEE IT WILL DO IT THOUGH!  If you can't send or receive
either encrypted or signed messages, you are most likely hosed
and should start over.  You can do the following as an
experiment because you will learn something by doing it.  When I
say trouble, I mean you are getting warning messages like these
(there are more of them) when you execute gpg commands:

gpg: [don't know]: invalid packet (ctb=20)
gpg: key export failed: invalid packet

In all of the following, something after a "$" is a command you
should type.  Something after a "#" is a comment.  If it is a
"Command> ", that is inside gpg and is also something you should
type.  The instructions assume you are using a bash, sh, or ksh
shell.  If you are using csh, switch to one of these shells by
typing "bash", "ksh" or "sh" before doing Step 2 via Method Two.
All other instructions should work in csh or tcsh as well.

[1] EXPORT your secret keys

    $ cd
    $ umask 077
    $ gpg --export-secret-keys > secret-keys.gpg
    $ ls -l secret-keys.gpg
    # you should have SOMETHING in the file.
    $ gpg --list-keys | more
    # write down your pub and sub keyid numbers.

    You must have SOMETHING in the secret-keys.gpg file.  If
    its size is zero, skip to step 3 and do those commands,
    and then start over.  Just because you have something in
    the file does NOT mean it is going to work.

[2] BACK UP what you have in either of the following two ways
    (or do it another way if you prefer to do it another way):

    Method One:
    -----------
    $ cd
    $ umask 077
    $ tar -c ./.gnupg | gzip -9 > gnupg.tar.gz
    # you get this back with:
    # $ rm -fr .gnupg
    # $ gzip -dc gnupg.tar.gz | tar -xvf -
    # now you know how to go back to what you had.

    Method Two:  (requires bash, sh, or ksh)
    -----------
    $ cd
    $ umask 077
    $ mkdir savgnupg
    $ cd .gnupg
    $ for FILE in pubring* random* secring* trustdb*; do \
    cp -fp "$FILE" ../savgnupg; done
    # To get them back you would type:
    # $ cd ; cd savgnupg
    # $ for FILE in pubring* random* secring* trustdb*; do \
    # cp -fp "$FILE" ../.gnupg; done
    # now you know how to go back to what you had.

[3] REMOVE all of your keys, trust data base and the random
    seed:
    $ cd ; cd .gnupg
    $ rm -f pubring* secring* trustdb* random*
    # do NOT remove your gpg.conf file

[4] CREATE a new temporary (bogus) signing key:
    $ cd
    $ gpg --gen-key
    # Pick either DSA or RSA sign only, real name foobar,
    # and email name of foobar at bogus.com with no comment.
    # give it an expire date of 1 month or less.  Play Mahjongg
    # tiles or do something else as it creates the key.
    $ gpg --list-keys
    # If this doesn't work you will have to reinstall GnuPG
    # or your Operating System!

[5] REIMPORT your previous keys:
    $ gpg --import secret-keys.gpg
    $ gpg --list-keys
    # you should have your previous key and the signing key
    # compare the key numbers with what you wrote down in
    # step number 1. They should match.  If they don't you
    # are through.  Do step 3 and start over.

[7] DELETE the bogus key and your file now:
    $ gpg --list-secret-keys
    # find the key number for foobar after the 1024D/ or
    # 1024R/, for example let's say it is BC072EED.
    $ gpg --delete-secret-keys BC072EED
    Delete this key from the keyring? (y/N) y
    This is a secret key! - really delete? (y/N) y
    $ gpg --list-secret-keys
    # you should now have only your original secret key.  The
    # secret side of foobar should be gone.
    $ gpg --list-keys
    # again, you should see the public side of foobar
    $ gpg --delete-key BC072EED

    pub  1024D/BC072EED 2006-10-14 foobar <foobar at bogus.com>

    Delete this key from the keyring? (y/N) y

    $ gpg --list-keys
    $ gpg --list-secret-keys
    # you should have only your original key.
    # if you are okay do the next step
    $ rm -f secret-keys.gpg

[8] IMPORT somebody ELSE'S key and sign it; Werner's signing
    key for example.
    $ cd $TO_WHERE_WERNERS_PUB_KEY_IS
    $ sha1sum WernerKoch.asc
    c151479c9231455f18bccd09e3423679683a9ba9  WernerKoch.asc
    # It matches what I have off the computer.  Hopefully
    # somebody hasn't taken advantage of the SHA1 weakness.
    $ gpg -a --import WernerKoch.asc
    $ gpg --list-keys
    # some output omitted
    pub   1024D/57548DCD 1998-07-07 [expired: 2005-12-31]
    uid                  Werner Koch (gnupg sig) <dd9jn at gnu.org>

    pub   1024R/1CE0C630 2006-01-01 [expires: 2008-12-31]
    uid                  Werner Koch (dist sig) <dd9jn at gnu.org>

    $ gpg --delete-key 57548DCD
    $ gpg --edit-key 1CE0C630
    Command> sign
    # SIGN TO THE LEVEL YOU KNOW THIS KEY IS REALLY HIS (use
    # lsign instead of sign for a local, non-exportable signature)
    # beats me if it really is his key - others seem to think it
    # is and it verifies GnuPg as valid.
    Command> save
    $ gpg --list-secret-keys
    $ gpg --list-keys
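The check in step 5 ("compare the key numbers with what you wrote down in step 1") can be done mechanically instead of on paper.  The script below is an added example, not part of the original post: it assumes the machine-readable `gpg --list-keys --with-colons` listing, where field 5 of each pub/sub record is the 16-digit key ID (the 8-digit numbers in the post are the last 8 of those digits), and it embeds constructed sample listings instead of calling gpg.

```shell
#!/bin/sh
# Added example (not from the original post): automates the step 1 / step 5
# check "write down your pub and sub keyids, compare after reimport" using
# `gpg --list-keys --with-colons`, where field 5 of each pub/sub record is
# the 16-digit key ID (the 8-digit IDs in the post are its last 8 digits).
# Constructed listing from before the rebuild (step 1); IDs and user IDs
# are made up for this example.
BEFORE_LISTING='tru::1:1160816502:0:3:1:5
pub:u:1024:17:0123456789ABCDEF:2006-10-14:::u:::scESC:
uid:u::::2006-10-14::0000000000000000000000000000000000000000::Example User <user at example.com>:
sub:u:2048:16:FEDCBA9876543210:2006-10-14::::::e:'

# Constructed listing after step 5: the re-imported key plus bogus foobar.
AFTER_LISTING='tru::1:1160816502:0:3:1:5
pub:u:1024:17:AAAA1111BBBB2222:2006-10-14:2006-11-14::u:::sc:
uid:u::::2006-10-14::1111111111111111111111111111111111111111::foobar <foobar at bogus.com>:
pub:u:1024:17:0123456789ABCDEF:2006-10-14:::u:::scESC:
uid:u::::2006-10-14::0000000000000000000000000000000000000000::Example User <user at example.com>:
sub:u:2048:16:FEDCBA9876543210:2006-10-14::::::e:'

# key_ids LISTING: the sorted key ID of every pub and sub record, i.e. the
# numbers to write down in step 1.
key_ids() {
    printf '%s\n' "$1" | awk -F: '$1 == "pub" || $1 == "sub" { print $5 }' | sort
}

# missing_ids BEFORE AFTER: pub/sub key IDs present in BEFORE but absent
# from AFTER.  Extra keys in AFTER (foobar) are ignored on purpose.
missing_ids() {
    { printf '%s\n' "$1"; printf '%s\n' '--AFTER--'; printf '%s\n' "$2"; } |
    awk -F: '
        $0 == "--AFTER--"                          { in_after = 1; next }
        ($1 == "pub" || $1 == "sub") && !in_after  { before[$5] = 1 }
        ($1 == "pub" || $1 == "sub") &&  in_after  { after[$5] = 1 }
        END { for (k in before) if (!(k in after)) print k }' | sort
}

# check_reimport BEFORE AFTER: status 0 when every original key ID survived
# (go on to step 7); status 1 and a report on stderr when any is missing
# (the post's advice: do step 3 and start over).
check_reimport() {
    _missing=$(missing_ids "$1" "$2")
    if [ -n "$_missing" ]; then
        printf 'key IDs missing after reimport:\n%s\n' "$_missing" >&2
        return 1
    fi
}

check_reimport "$BEFORE_LISTING" "$AFTER_LISTING" && echo "all original key IDs present"
```

On a real system, capture `gpg --list-keys --with-colons` into a file in step 1 and again in step 5, and pass the two file contents to `check_reimport`.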

If everything looks okay after step 8, then import somebody's
key that you regularly send encrypted and/or signed email to.
Then do the usual tests of both of you sending:

a. Signed email
b. Encrypted email
c. Signed & encrypted email

If all of them work fine both ways, then you are probably okay.
NOW DO STEP 2 AGAIN AND STORE IT IN A SAFE PLACE.  DO IT OFTEN!
BACK UP, BACK UP, BACK UP, BACK UP, BACK UP, BACK UP, BACK UP!

Henry Hertz Hobbit